Need help on Trojan.Vundo [RESOLVED]

This topic is locked

#1 ipeh (Member, 32 posts)

Hi guys,

I am a newbie here. And here are some details about what I am currently using: Windows 2000 SP4, Mozilla Firefox v. 2.0.0.8. I have IE v.6.0.2800.1106 installed but I never use it anymore.

A couple of days ago it seems that my PC got infected with the Trojan.Vundo virus.
I had Norton Anti Virus installed and it caught some *.dll files but didn't seem to be able to do anything to remove them. (Sorry, I forgot to write down what the filenames were.)

What I noticed was:
1. My PC was getting very, very slow (especially when loading Windows after I shut it down)
2. I wasn't able to open many web pages (just now I couldn't even post this; every time I pressed the 'Post New Topic' button it went to "Page not found", so I'm now posting this from another computer)
3. I am using ACDSee as my default image viewer, and the icons of the image files in my PC suddenly changed from the ACDSee default icons to MS-Paint icons (--> I am not sure if this is caused by the trojan)

I uninstalled my Norton and installed Kaspersky Anti Virus. Kaspersky caught some files it claimed to be trojan/virus and asked me to remove them, so I did.

Then I installed SUPERAntiSpyware and scanned my computer. It caught "Adware.Vundo Variant" and deleted it.

Here's the log from the scan:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/30/2007 at 06:49 PM

Application Version : 3.9.1008

Core Rules Database Version : 3333
Trace Rules Database Version: 1260

Scan type : Complete Scan
Total Scan Time : 02:40:34

Memory items scanned : 111
Memory threats detected : 0
Registry items scanned : 5554
Registry threats detected : 1
File items scanned : 56280
File threats detected : 0

Adware.Vundo Variant
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{F4002052-AB29-4B33-8C8D-0E99084564EC}


I am not sure whether my PC is now clean or not, and I am hoping someone can help me have a look at my HJT log below.


Logfile of HijackThis v1.99.1
Scan saved at 21:17, on 2007-10-30
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Billionton\Bluetooth Software\bin\btwdins.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
e:\ProShowGold\ScsiAccess.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I3C2.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\system32\notepad.exe
C:\Documents and Settings\ipeh\My Documents\Fixing vundo Problems\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\PROGRA~1\FRESHD~1\FRESHD~1\fdcatch.dll
O2 - BHO: BitComet Helper - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: FreshDownload Bar - {ED0E8CA5-42FB-4B18-997B-769E0408E79D} - C:\PROGRA~1\FRESHD~1\FRESHD~1\fdiebar.dll
O4 - HKLM\..\Run: [Synchronization Manager] "mobsync.exe" /logon
O4 - HKLM\..\Run: [PCSuiteTrayApplication] "C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" -startup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(4).lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV04.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Billionton\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Billionton\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: FreshDownload - {DE8A5E4B-EABA-48C8-8B88-C96DC7D70061} - C:\Program Files\FreshDevices\FreshDownload\fd.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{26357473-AAE8-432F-AE0D-F6E6C086A79F}: NameServer = 202.155.0.10,202.155.0.15
O17 - HKLM\System\CS1\Services\Tcpip\..\{26357473-AAE8-432F-AE0D-F6E6C086A79F}: NameServer = 202.155.0.10,202.155.0.15
O17 - HKLM\System\CS2\Services\Tcpip\..\{26357473-AAE8-432F-AE0D-F6E6C086A79F}: NameServer = 202.155.0.10,202.155.0.15
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: klogon - C:\WINNT\system32\klogon.dll
O20 - Winlogon Notify: PCANotify - C:\WINNT\SYSTEM32\PCANotify.dll
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" -r (file missing)
O23 - Service: Symantec pcAnywhere Host Service (awhost32) - Symantec Corporation - E:\PCAnywhere\awhost32.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Billionton\Bluetooth Software\bin\btwdins.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: HDD Information Service (HDDSvc) - AltrixSoft (http://www.altrixsoft.com/) - C:\WINNT\system32\HDDSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINNT\system32\oodag.exe
O23 - Service: ScsiAccess - Unknown owner - e:\ProShowGold\ScsiAccess.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

Any help would be greatly appreciated.
Thanks a lot guys.

ipeh
#2 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

Welcome to GTG.

Let's see what we can find :)

Print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should NOT have any open browsers when you are following the procedures below.

Download VundoFix at http://www.atribune..../click.php?id=4 and save it to your desktop.
- Double-click VundoFix.exe to run it.
- Click the Scan for Vundo button.
- Once it's done scanning, click the Remove Vundo button.
- You will receive a prompt asking if you want to remove the files. Click Yes.
- Once you click yes, your desktop will go blank as it starts removing Vundo.
- When completed, it will prompt that it will reboot your computer. Click OK.
- Post the contents of C:\vundofix.txt here.

NOTE: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot. Simply follow the above instructions starting from Click the Scan for Vundo button when VundoFix appears upon rebooting.

#3 ipeh (Topic Starter, Member, 32 posts)

Hi greyknight17,

Thanks for replying.

I did everything you asked me to do and here's the log:

========================
VundoFix V6.5.11

Checking Java version...

Scan started at 07:09:59 2007-10-31

Listing files found while scanning...

No infected files were found
=========================

But I'm still not able to open many web sites (e.g. eBay, Geeks to Go, sometimes Yahoo Mail).
:)

Do I need to do anything else?

Thx a lot!

ipeh

#4 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

1. Download combofix at http://www.techsuppo...Bs/ComboFix.exe
2. Double-click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply.

Note:
Do not click on combofix's window while it's running. That may cause it to stall.

Post a new HijackThis log.

#5 ipeh (Topic Starter, Member, 32 posts)

Thanks for your reply greyknight17!

I ran ComboFix, but in the middle of the scan there was an error message saying something like "cannot access the file because it is shutting down". It was fast; the next thing I knew, my PC was restarting. But after I logged back in, the scan continued. The file it was referring to was "nircmd", but I can't remember whether it was .dll or .exe.
Is this normal?

Anyway, it finished the scan and produced the log.

Here it is:

ComboFix 07-11-01.1** - ipeh 2007-11-01 9:33:33.1 - FAT32x86
Running from: C:\Documents and Settings\ipeh\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin1.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin10.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin11.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin12.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin13.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin14.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin15.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin16.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin17.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin18.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin19.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin2.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin20.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin21.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin22.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin23.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin24.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin25.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin26.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin27.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin28.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin29.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin3.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin4.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin5.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin6.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin7.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin8.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin9.zip
C:\WINNT\system32\FTPx.dll

.
((((((((((((((((((((((((( Files Created from 2007-10-01 to 2007-11-01 )))))))))))))))))))))))))))))))
.

2007-11-01 09:31 51,200 --a------ C:\WINNT\NirCmd.exe
2007-11-01 06:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2007-10-31 22:09 <DIR> d-------- C:\Documents and Settings\ipeh\Application Data\AVG7
2007-10-31 22:08 <DIR> d-------- C:\Documents and Settings\Default User\Application Data\AVG7
2007-10-31 22:08 26,944 --a------ C:\WINNT\system32\drivers\avg7rsnt.sys
2007-10-31 22:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-31 22:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-10-31 10:48 <DIR> d-------- C:\kav
2007-10-31 10:25 202,240 --ah----- C:\setup95.exe
2007-10-31 07:09 <DIR> d-------- C:\VundoFix Backups
2007-10-30 16:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2007-10-30 16:02 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-30 05:58 108,021 ---hs---- C:\WINNT\system32\lmllm.ini2
2007-10-30 05:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-29 16:39 96,828 ---hs---- C:\WINNT\system32\bdeeg.bak1
2007-10-29 15:53 97,074 ---hs---- C:\WINNT\system32\lmllm.bak1
2007-10-26 15:41 97,665 ---hs---- C:\WINNT\system32\svvwa.bak2
2007-10-25 15:40 96,828 ---hs---- C:\WINNT\system32\svvwa.bak1
2007-10-09 16:21 <DIR> d-------- C:\Documents and Settings\ipeh\Application Data\eMusic
2007-10-09 16:20 <DIR> d-------- C:\Program Files\eMusic Remote

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-31 13:45 78,415 ----a-w C:\WINNT\system32\drivers\klif.cab
2007-10-30 08:26 64 ----a-w C:\ComboFix.txt.bat
2007-09-25 13:25 --------- d-----w C:\Program Files\Absolute Video to Audio Converter
2007-09-11 13:30 --------- d-----w C:\Program Files\FLV to AVI MPEG WMV 3GP MP4 iPod Converter
2007-09-06 12:44 --------- d-----w C:\Program Files\DLDIrc
2007-09-05 12:55 --------- d-----w C:\Program Files\BatchDPG
2007-09-05 12:54 --------- d-----w C:\Program Files\AviSynth 2.5
2007-08-08 09:45 673,546 ----a-w C:\WINNT\unins000.exe
2007-04-26 08:39 87,608 ----a-w C:\Documents and Settings\ipeh\Application Data\ezpinst.exe
2007-04-26 08:39 47,360 ----a-w C:\Documents and Settings\ipeh\Application Data\pcouffin.sys
2006-09-03 00:15 81,920 ----a-w C:\Documents and Settings\galee\Application Data\ezpinst.exe
2006-09-03 00:15 47,360 ----a-w C:\Documents and Settings\galee\Application Data\pcouffin.sys
2006-07-31 09:49 333,312 ----a-w C:\Program Files\pdfmark.exe
2005-07-18 02:33 271 ---h--w C:\Program Files\desktop.ini
2005-07-18 02:33 21,952 ---h--w C:\Program Files\folder.htt
1999-12-07 05:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
2005-07-14 19:31:20 27,648 --sha-w C:\WINNT\system32\AVSredirect.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 12:05 C:\WINNT\system32\mobsync.exe]
"RegistryMechanic"="" []
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [07-06-18 15:10 ]
"nwiz"="nwiz.exe" [06-08-11 20:43 C:\WINNT\system32\nwiz.exe]
"NvCplDaemon"="RUNDLL32.exe" [99-12-07 12:00 C:\WINNT\system32\rundll32.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [07-10-31 22:07 ]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [07-06-25 22:52 ]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Nokia.PCSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
EPSON Status Monitor 3 Environment Check(4).lnk - C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV04.EXE [2000-02-03 01:11:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [06-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 07-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R0 SONYPVM1;Sony Memory Stick Driver(SONYPVM1);C:\WINNT\system32\DRIVERS\SONYPVM1.SYS
R0 viasraid;viasraid;C:\WINNT\system32\DRIVERS\viasraid.sys
R1 Avg7RsNT;AVG7 Resident Driver NT;C:\WINNT\system32\Drivers\avg7rsnt.sys
R3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys
S1 cdawdm;cdawdm;C:\WINNT\system32\DRIVERS\cdawdm.sys
S3 FreshIO;FreshIO;\??\C:\Program Files\FreshDevices\FreshDiagnose\FreshIO.sys
S3 viafilter;VIA USB Filter;C:\WINNT\system32\Drivers\viausb.sys

.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-01 09:46:22
Windows 5.0.2195 Service Pack 4 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-01 9:48:04 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-10-30 15:33
.
--- E O F ---


It also gave me the quarantined files log.
I am also going to attach it and the HJT on my next posts so this doesn't get too long.

#6 ipeh (Topic Starter, Member, 32 posts)

The quarantined files log:

01-06-07 08:28	   50740	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\dcjomvri.dll.vir
02-06-07 20:02	   685695	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\pqtss.bak2.vir
02-12-05 01:16	   40960	--a------	C:\Qoobox\Quarantine\C\WINNT\DOWNLO~1\cnsio.dll_tobedeleted.vir
02-12-05 01:17	   45056	--a------	C:\Qoobox\Quarantine\C\WINNT\DOWNLO~1\CnsMinIO.dll_tobedeleted.vir
05-06-07 14:46	   655150	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\pqtss.ini.vir
05-06-07 14:46	   655150	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\pqtss.ini2.vir
05-06-07 14:46	   655150	--ahs----	C:\Qoobox\Quarantine\C\WINNT\system32\pqtss.tmp.vir
06-12-05 15:37	   26764	--a------	C:\Qoobox\Quarantine\C\WINNT\DOWNLO~1\CnsMinIdn.cab.vir
06-12-05 15:37	   516	--a------	C:\Qoobox\Quarantine\C\WINNT\cnsinfo.dat.vir
08-03-07 14:22	   1	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\bund1\temp.txt.vir
10-12-05 09:30	   21	--a------	C:\Qoobox\Quarantine\C\WINNT\DOWNLO~1\CnsUp.ini.vir
12-07-05 17:59	   151552	--a------	C:\Qoobox\Quarantine\C\WINNT\DOWNLO~1\CnsMin.dll_tobedeleted.vir
21-06-05 17:17	   49152	--a------	C:\Qoobox\Quarantine\C\WINNT\DOWNLO~1\CnsMinEx.dll_tobedeleted.vir
21-06-05 17:42	   28672	--a------	C:\Qoobox\Quarantine\C\WINNT\DOWNLO~1\CnsMinSV.dll_tobedeleted.vir
23-01-07 20:03	   1102	--a------	C:\Qoobox\Quarantine\C\INSTALL.LOG.vir
24-05-07 21:47	   285268	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\sstqp.dll.vir
24-05-07 21:48	   641136	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\pqtss.bak1.vir
31-05-07 10:09	   50740	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\aohtadwx.dll.vir


Folder PATH listing for volume SUNTER
Volume serial number is 0006FE80 98BE:E642
C:\QOOBOX
\---Quarantine
	+---Registry_backups
	\---C
		|   INSTALL.LOG.vir
		|   
		+---WINNT
		|   |   cnsinfo.dat.vir
		|   |   
		|   +---DOWNLO~1
		|   |	   CnsUp.ini.vir
		|   |	   CnsMinIdn.cab.vir
		|   |	   cnsio.dll_tobedeleted.vir
		|   |	   CnsMinSV.dll_tobedeleted.vir
		|   |	   CnsMinIO.dll_tobedeleted.vir
		|   |	   CnsMinEx.dll_tobedeleted.vir
		|   |	   CnsMin.dll_tobedeleted.vir
		|   |	   
		|   \---system32
		|	   |   dcjomvri.dll.vir
		|	   |   aohtadwx.dll.vir
		|	   |   pqtss.bak2.vir
		|	   |   pqtss.bak1.vir
		|	   |   pqtss.ini2.vir
		|	   |   pqtss.ini.vir
		|	   |   sstqp.dll.vir
		|	   |   
		|	   \---bund1
		|			   temp.txt.vir
		|			   
		\---avenger


#7 ipeh (Topic Starter, Member, 32 posts)

And here's the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 9:51:32 AM, on 11/1/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Billionton\Bluetooth Software\bin\btwdins.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
e:\ProShowGold\ScsiAccess.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I3C2.EXE
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Documents and Settings\ipeh\My Documents\Fixing vundo Problems\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\PROGRA~1\FRESHD~1\FRESHD~1\fdcatch.dll
O2 - BHO: BitComet Helper - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: FreshDownload Bar - {ED0E8CA5-42FB-4B18-997B-769E0408E79D} - C:\PROGRA~1\FRESHD~1\FRESHD~1\fdiebar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PCSuiteTrayApplication] "C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" -startup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(4).lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV04.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Billionton\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Billionton\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: FreshDownload - {DE8A5E4B-EABA-48C8-8B88-C96DC7D70061} - C:\Program Files\FreshDevices\FreshDownload\fd.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{26357473-AAE8-432F-AE0D-F6E6C086A79F}: NameServer = 202.155.0.10,202.155.0.15
O17 - HKLM\System\CS1\Services\Tcpip\..\{26357473-AAE8-432F-AE0D-F6E6C086A79F}: NameServer = 202.155.0.10,202.155.0.15
O17 - HKLM\System\CS2\Services\Tcpip\..\{26357473-AAE8-432F-AE0D-F6E6C086A79F}: NameServer = 202.155.0.10,202.155.0.15
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Billionton\Bluetooth Software\bin\btwdins.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: HDD Information Service (HDDSvc) - AltrixSoft (http://www.altrixsoft.com/) - C:\WINNT\system32\HDDSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINNT\system32\oodag.exe
O23 - Service: ScsiAccess - Unknown owner - e:\ProShowGold\ScsiAccess.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe


Thanks very much for your help greyknight17! :)

ipeh

#8 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you have checked the last one:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank


Delete this folder:

C:\QOOBOX

Download KillBox at http://www.greyknigh...spy/KillBox.exe Run KillBox and check the box that says End Explorer Shell While Killing File. Next click on Delete on Reboot. Select the below lines. Right click on them once all are selected and choose Copy:

C:\WINNT\system32\lmllm.ini2
C:\WINNT\system32\bdeeg.bak1
C:\WINNT\system32\lmllm.bak1
C:\WINNT\system32\svvwa.bak2
C:\WINNT\system32\svvwa.bak1


Go back to KillBox. Go to File->Paste from Clipboard and then hit the button with a red circle and white X. Confirm to delete and when asked if you want to reboot, say Yes. If you get a PendingOperations message, just close it and restart your computer manually.

Good job. Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.
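The fix list above is built from HijackThis R0/R1 lines (Internet Explorer URL settings that have been blanked to about:blank) and the earlier log's O23 lines (installed services with their vendor and binary path). The following is an added example, not code from the thread or from HijackThis, that parses a constructed excerpt in that log format and flags the same two things a helper looks for by eye: IE settings forced to about:blank, and services reported with "Unknown owner", whose binaries deserve a second look. The sample log lines are constructed for the example; the regular expression and the field names are this example's own assumptions about the format.

```python
import re
from typing import Dict, List

# Constructed excerpt in HijackThis log format (sample data, not the poster's full log).
SAMPLE_HJT_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Default_Search_URL = about:blank
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.google.com/
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page_bak = about:blank
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\\WINNT\\system32\\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - e:\\ProShowGold\\ScsiAccess.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\\Program Files\\Common Files\\Macromedia Shared\\Service\\Macromedia Licensing.exe
"""

# R0-R3 lines: "<type> - <registry key>,<value name> = <value>"
# The key path can contain spaces, so both leading groups are non-greedy.
R_LINE = re.compile(r"^(R[0-3]) - (.+?),(.+?) = (.*)$")
O23_PREFIX = "O23 - Service: "


def parse_hjt(text: str) -> List[Dict[str, str]]:
    """Parse R0-R3 (IE URL settings) and O23 (services) lines into dicts."""
    entries: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = R_LINE.match(line)
        if m:
            entries.append({"type": m.group(1), "key": m.group(2),
                            "value_name": m.group(3), "value": m.group(4)})
            continue
        if line.startswith(O23_PREFIX):
            # O23 layout: "<display name> - <owner> - <binary path>".
            # Split the path off from the right so dashes in the path survive.
            rest = line[len(O23_PREFIX):]
            name_owner, path = rest.rsplit(" - ", 1)
            name, owner = name_owner.split(" - ", 1)
            entries.append({"type": "O23", "name": name, "owner": owner, "path": path})
    return entries


def find_suspicious(entries: List[Dict[str, str]]) -> List[str]:
    """Return human-readable findings for the entries a helper would check first."""
    findings: List[str] = []
    for e in entries:
        if e["type"].startswith("R") and e["value"].strip().lower() == "about:blank":
            findings.append(f"{e['type']} {e['value_name']} blanked to about:blank ({e['key']})")
        elif e["type"] == "O23" and e["owner"] == "Unknown owner":
            findings.append(f"O23 service '{e['name']}' has no vendor info: {e['path']}")
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(parse_hjt(SAMPLE_HJT_LOG)):
        print(finding)
```

An "Unknown owner" service is not proof of infection (the example deliberately includes a legitimate Macromedia service with no vendor string), but it is the set of binaries worth verifying against a known-good install before anything is fixed.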

#9
ipeh
    Member
  • Topic Starter
  • 32 posts
Hi greyknight17,

It looks okay, my PC is much faster now.

However, I still have the old problem: I still can't open many web sites.
For one, I still can't open geekstogo.com, so I still have to post this from another computer.
Yesterday, I couldn't open forums.techguy.org, but after I did what you asked me to do this morning, it finally worked.
I tried opening your website (greyknight17.com), ebay.com, www.toysrus.com.au, to no avail. It says "Server Not Found". Those were just to name a few.

The funny thing is, I tried to open www.typepad.com, it loaded but without the images (all text, just like opening web sites on mobile phones), tried refreshing it so many times but it didn't change. Then I opened it with another computer and it loaded just fine.

Do you know why this is?

I don't think the sites are blocked by my provider, because I can open them using this computer (also connected to the same modem).
Does it help to tell you that all the problems (spyware/trojan) started last Friday (Oct 26) the moment I changed my cable provider? Just so you know :)

Btw, what spyware did I have before? I'm curious :)

Thanks again for your help and I hope you can help me with this.

Take care,

ipeh

#10
greyknight17
    Malware Expert
  • Visiting Consultant
  • 16,560 posts
You had the Vundo infection....

Download ATF Cleaner at http://www.atribune..../click.php?id=1
Double-click ATF-Cleaner.exe to run the program. Under Main choose Select All
Click the Empty Selected button.

If you use the Firefox browser click Firefox at the top and choose Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser click 'Opera' at the top and choose 'Select All'
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.


Download Hoster at http://www.greyknigh.../spy/Hoster.exe and run it. Click on Restore Original Hosts button and press OK.

See if you can visit those other sites you had problems with earlier.
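The symptom in the previous post (some sites return "Server Not Found" on one machine while another machine on the same modem loads them) is the classic sign of a tampered hosts file, which is why the advice is to restore the original hosts file with Hoster. The following is an added example, not Hoster's code or anything from the thread, that audits a constructed hosts file the way a helper would: every name other than localhost that is mapped to a loopback or unspecified address is reported as "blocked", and any name mapped to some other address is reported as "redirected". The `clean_hosts` function keeps only comments and localhost mappings, which is this example's own minimal reset rather than a restore of a vendor-original file; the sample content and domains are constructed for the example.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample hosts file (not from the poster's machine). On Windows 2000
# the real file lives at C:\WINNT\system32\drivers\etc\hosts.
SAMPLE_HOSTS = """\
# Constructed sample hosts file
127.0.0.1       localhost
0.0.0.0         www.pandasoftware.com
0.0.0.0         www.superantispyware.com   # blocks the scanner vendor's site
127.0.0.1       forums.techguy.org
192.0.2.10      www.ebay.com
"""

# Names that legitimately appear in a default hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs, ignoring comments and blank lines."""
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not body:
            continue
        parts = body.split()
        addr, names = parts[0], parts[1:]
        for name in names:
            entries.append((addr, name.lower()))
    return entries


def audit_hosts(text: str) -> List[Tuple[str, str, str]]:
    """Classify each non-local mapping as blocked, redirected or malformed."""
    findings: List[Tuple[str, str, str]] = []
    for addr, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append(("malformed", name, addr))
            continue
        # 127.x.x.x or 0.0.0.0 makes the site unreachable ("Server Not Found");
        # any other address silently sends the browser somewhere else.
        kind = "blocked" if (ip.is_loopback or ip.is_unspecified) else "redirected"
        findings.append((kind, name, addr))
    return findings


def clean_hosts(text: str) -> str:
    """Return the file with every non-localhost mapping removed (comments kept)."""
    kept: List[str] = []
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].strip()
        if not body:
            kept.append(raw)          # keep comment-only and blank lines
            continue
        names = body.split()[1:]
        if names and all(n.lower() in LOCAL_NAMES for n in names):
            kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for kind, name, addr in audit_hosts(SAMPLE_HOSTS):
        print(f"{kind:10} {name:30} -> {addr}")
    print("--- cleaned file ---")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

Blocking the security vendors' sites (here the Panda and SUPERAntiSpyware hosts) is exactly what kept the poster from reaching the online scanner later in the thread, so a hosts audit is worth doing before a web-based scan is attempted rather than after it fails.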

#11
ipeh
    Member
  • Topic Starter
  • 32 posts
Hi greyknight17,

It's still not working. I tried to open the sites with IE as well, but it didn't work either.

:)

ipeh

#12
ipeh
    Member
  • Topic Starter
  • 32 posts
Hi greyknight17,

I downloaded StopSign Threat Scanner and it's still scanning as I'm writing this post. Only up to 4% now.
It caught Trojan.PWS.Tanspy Software Package --> Possible Spyware Application.

This is a trial version and I think it asks us to pay to remove the trojan.

Do I need to worry about this trojan too?

Thx.

ipeh

#13
greyknight17
    Malware Expert
  • Visiting Consultant
  • 16,560 posts
No need to pay. We can usually resolve these issues using the free programs/tools available.

Perform an online scan with Internet Explorer at Panda ActiveScan http://www.pandasoft.../activescan.htm

* Click on 'Scan your PC' button. There should be a popup - if you have a pop-up blocker, make sure it's not blocking it.
* Click 'Check Now' & a pop-up window will appear.
* Enter your Country, State and E-mail Address & click 'Scan Now' - begin downloading Panda's ActiveX controls (8 MB size).
* Begin the scan by selecting My Computer.
* If it finds any malware, it will offer you a report. Ignore any entry it finds (since it wants you to buy the program for removal) as we will address this later.
* Click on see report. Then click Save report.
* Post that log in your next reply.

#14
ipeh
    Member
  • Topic Starter
  • 32 posts
Hi greyknight17,

Seems like pandasoftware.com is also one of the many sites that I cannot visit.
I tried to go in using IE and Firefox, but both gave me 'Page not found'.

Should I download the trial program?

Thx,

ipeh

#15
greyknight17
    Malware Expert
  • Visiting Consultant
  • 16,560 posts
Panda trial program?

For that other trial program, did it finish scanning? Does it provide a log at least? If so, post it here and we can try removing the infection manually.